Since the inception of cloud, the number one inhibitor of adoption has been security. What’s changed is that the concern is no longer about security of the cloud itself, but security of the apps being deployed in the cloud. Organizations have had a decade now to watch with bated breath for an attack of epic proportions to justify initial fears regarding cloud security. That attack has not yet materialized and we’ve long since moved past that as a factor in whether we deploy an app in the public cloud or not. Our fears are now more app-centric, relating to the way in which we protect those applications we want to deploy externally.
Make no mistake; those fears persist. When asked about security concerns relative to the cloud, organizations are quick to point out capabilities they see as critical for cloud adoption: Encryption of data at rest and in flight; VPN connectivity; tokenization of data; and parity of policy to ensure compliance with regulatory and corporate dictates. These are the concerns organizations have today, and they are a major factor when it comes to making decisions regarding the deployment of applications.
Security services – IDS/IPS, firewalls, web application firewalls (WAF), and DDoS protection – have risen to the top of the list with respect to the capabilities IT professionals will not deploy an application without. If any of those services are missing, there's no deployment. Over the past year, we’ve seen public cloud providers begin to address these concerns by offering a more robust set of security services natively in the cloud. That’s the good news. The bad news is that these services remain rooted in an operational paradigm unique to the provider.
The security services available from Amazon are not compatible nor will they migrate to Microsoft Azure or Google Cloud. The automation and integration of those services with corporate standards and operational processes remains elusive. The parity of process and policy remains a stumbling block for organizations seeking to constrain complexity as they extend their environments into public cloud environments.
This is problematic and inhibits adoption, despite the dismissal of such concerns by purist pundits who tout not “cloud first,” but “cloud only” with the fervent zeal of a prophet. Organizations leery of public cloud adoption have legitimate concerns regarding the security of the applications they are considering for cloud deployments. They have a need for the security services they rely on to detect, prevent, and ultimately protect the apps and data they are considering exposing by deploying in a public cloud. These services are the application’s “security blanket,” allowing it to be deployed in far-flung data centers operated by faceless admins across the globe.
Borderless business is the new norm, requiring careful attention to the new perimeters forming around each individual application. These perimeters are defined by access and security services that envelope each application with their own set of protections against the mounting forces of attackers who seek the value hidden within every application: corporate and consumer data.
Cloud providers are quick to point out that security in the public cloud is based on a model of shared responsibility. Providers are responsible for the security of the environment they supply: the network, the base infrastructure, and the host systems. Everything else is up to the customer.
Indeed, the breaches of applications deployed in public clouds thus far have all been above the fold, as it were, at the application layer. Whether due to stolen credentials or vulnerabilities in the application stack, successful attacks target not the cloud provider network, but the application itself. This makes the deployment of security services designed to shield applications from attack such as DDoS protection and WAF, along with services to prevent unauthorized access like identity management and firewalls, even more critical in the cloud.
It’s not enough to consider application suitability for the public cloud alone. Like pairing wines, when considering which cloud environment to pair with an application, organizations must evaluate their ability to deploy the entire application architecture, including its complementary security services.
Hear more from Lori MacVittie live and in person at her session "Operationalizing IT With Automation and APIs" at Interop ITX, May 15-19 in Las Vegas. She also will be on a panel of experts at the Open Source Summit. Register for Interop ITX today!